\usepackage{beamerthemeplaincu}

%\usepackage[T1]{fontenc}

\renewcommand{\slidecaption}{APP 03, King's College London, 1 October 2013}

  \LARGE Privacy Policies (2)\\[-6mm] 

  Slides: & KEATS (also home work is there)\\

\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\

one general defence mechanism is\\\alert{\bf defence in depth}

\end{center}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}<1-2>[c]

\frametitle{Defence in Depth}

\begin{itemize}

\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.

\end{itemize}

\only<2->{

\begin{textblock}{11}(2,12)

\small otherwise your ``added security'' can become the point of failure 

\end{textblock}}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{PALs}

\begin{itemize}

\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)

\end{itemize}

\begin{center}

\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}

\includegraphics[scale=0.25]{pics/nuclear2.jpg}

\end{center}

\onslide<3->{

modern PALs also include a 2-person rule

} 

 \only<2->{

\begin{textblock}{11}(3,2)

\begin{tikzpicture}

\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 

{\begin{minipage}{8cm}

US Air Force's Strategic Air Command worried that in times of need the 

codes would not be available, so until 1977 quietly decided to set them 

to 00000000\ldots

\end{minipage}};

\end{tikzpicture}

\end{textblock}}

\begin{itemize}

\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause

\item these weapons were armed with a bicycle key

\begin{center}

\begin{tabular}[b]{c}

\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\

\small nuclear weapon keys

\end{tabular}

\hspace{3mm}

\begin{tabular}[b]{c}

\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\

\small bicycle lock

\end{tabular}

\end{center}\bigskip\pause

\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{Access Control in Unix}

\begin{itemize}

\item access control provided by the OS

\item authenticate principals (login)

\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\

\item roles get attached with privileges\bigskip\\%

\hspace{8mm}

\begin{tikzpicture}

\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 

{\begin{minipage}{8cm}

\alert{principle of least privilege:}\\

programs should only have as much privilege as they need 

\end{minipage}};

\end{tikzpicture}

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{Access Control in Unix (2)}

\begin{itemize}

\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}

\end{itemize}

\begin{textblock}{1}(2.5,9.5)

\end{textblock}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[t]

\frametitle{Process Ownership}

\item access control in Unix is very coarse

\end{itemize}\bigskip\bigskip\bigskip

\begin{center}

\begin{tabular}{c}

root\\

\hline

user$_1$ user$_2$ \ldots www, mail, lp

\end{tabular}

\end{center}\bigskip\bigskip\bigskip

\textcolor{gray}{\small root has UID $=$ 0}\\\pause

\textcolor{gray}{\small you also have groups that can share access to a file}\\

\textcolor{gray}{\small but it is difficult to exclude access selectively}\\

\frametitle{Access Control in Unix (2)}

\begin{itemize}

\item privileges are specified by file access permissions (``everything is a file'') 

\item there are 9 (plus 2) bits that specify the permissions of a file

\begin{tabular}{l}

\texttt{\$ ls - la}\\

\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}

\end{tabular}

\frametitle{Login Process}

\item login processes run under UID $=$ 0\medskip 

\begin{center}

\texttt{ps -axl | grep login}

\end{center}\medskip

\item after login, shells run under UID $=$ user (e.g.~501)\medskip

\begin{center}

\texttt{id cu}

\end{center}\medskip\pause

\item non-root users are not allowed to change the UID --- would break 

access control

\item but needed for example for \texttt{passwd}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{Setuid and Setgid}

The solution is that unix file permissions are 9 + \underline{2 Bits}:

\alert{Setuid} and \alert{Setgid} Bits

\begin{itemize}

\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file. 

\item This enables users to create processes as root (or another user).\bigskip

\item Essential for changing passwords, for example.

\end{itemize}

\begin{center}

\texttt{chmod 4755 fobar\_file}

\end{center}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}

\begin{center}

\begin{tikzpicture}[scale=1]

  \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);

  \draw (4.7,1) node {Internet};

  \draw (0.6,1.7) node {\footnotesize Slave};

  \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);

  \draw (0.6,1.7) node {\footnotesize Slave};

  \draw (0.6,0.6) node {\footnotesize Slave};

  \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};

  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};

  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

  \draw (-2.9,1.7) node {\footnotesize Monitor};

  \draw[white] (1.7,1) node (X) {};

  \draw[white] (3.7,1) node (Y) {};

  \draw[red, <->, line width = 2mm] (X) -- (Y);

  \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);

  \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);

  \end{tikzpicture}

\end{center}

\begin{itemize}

\item pre-authorisation slave 

\item post-authorisation\bigskip

\item 25\% codebase is privileged, 75\% is unprivileged

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{Network Applications}

ideally network application in Unix should be designed as follows:

\item need two distinct processes

\begin{itemize}

\item one that listens to the network; has no privilege

\item one that is privileged and listens to the latter only (but does not trust it)

\end{itemize}

\item to implement this you need a parent process, which forks a child process

\item this child process drops privileges and listens to hostile data\medskip

\item after authentication the parent forks again and the new child becomes the user

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}

\begin{itemize}

\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause

\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause

\item \texttt{mkdir foo} is owned by root\medskip

\begin{center}

\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}

\end{center}\medskip

it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}

\end{itemize}

\only<1>{

\begin{textblock}{1}(3,3)

\begin{tikzpicture}

\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 

{\begin{minipage}{8cm}

Only failure makes us experts.

	-- Theo de Raadt (OpenBSD, OpenSSH)

\end{minipage}};

\end{tikzpicture}

\end{textblock}}

\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}

There are thing's you just cannot solve on the programming side:\bigskip

\begin{itemize}

\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip

\begin{itemize}

\item attacker:\\ 

\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}

\item root:\\\texttt{rm /tmp/*/*}:

\item attacker:\\

\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}

\end{itemize}

\end{itemize}

\end{frame}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\mode<presentation>{

\begin{frame}[c]

\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}

Unix essentially can only distinguish between two security levels (root and non-root).

\begin{itemize}

\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause 

\item Information flow: Bell --- La Padula model

\begin{itemize}

\item read: your own level and below

\item write: your own level and above

\end{itemize}

\end{itemize}

\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}

\item Bell --- La Padula preserves data secrecy, but not data integrity\bigskip\pause

\item Biba model is for data integrity  

\item read: your own level and above

\item write: your own level and below

\end{itemize}

\end{itemize}